Pension Benefit Guaranty Corporation
Office of Inspector General
Audit Report

Report on Internal Controls Related to the
Pension Benefit Guaranty Corporation’s Fiscal
Year 2009 and 2008 Financial Statements Audit

November 12, 2009
AUD-2010-2 / FA-09-64-2

Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

November 12, 2009

To:            Patricia Kelly
               Chief Financial Officer

From:          Joseph A. Marchowsky
               Assistant Inspector General for Audit

Subject:       Report on Internal Controls Related to the Pension Benefit Guaranty
               Corporation’s Fiscal Year 2009 and 2008 Financial Statements Audit
               (AUD-2010-2/FA-09-64-2)

I am pleased to transmit the attached report prepared by Clifton Gunderson LLP resulting
from their audit of the PBGC Fiscal Year 2009 and 2008 Financial Statements.
The purpose of this report is to provide more detailed discussions of the specifics underlying
the significant deficiencies and material weakness reported in the internal control section
of the combined Independent Auditor’s Report dated November 12, 2009 (AUD-2010-1/
FA-09-64-1). The attached management response to a draft of this report indicates
management’s agreement with each recommendation and their commitment to addressing
the recommendations contained in the report and to remediating the associated material
weakness.

We would like to take this opportunity to express our appreciation for the overall
cooperation that Clifton Gunderson auditors and we received while performing the audit.

Attachment

cc: Vince Snowbarger             Robert Callahan                Pat Kieth
    Stephen Barber               David Harvey                   Michael Zacour
    Terrence Deneen              Beverly Hebron                 Ray Reigle
    Richard Macy                 Lashon Lissimore               Noel Briscoe
    Judith Starr                 Marlene Horne-Richards         Tod Ware
    Israel Goldowitz             Steve Block                    Anand Kothari
    Ted Winter                   Patricia Davis                 Samuel Norfleet
    Marty Boehm                  Andrea Schneider               Bennie Hagans
    John Greenburg               Margaret Hamilton              Candace Campbell
    Walt Luiza                   Ken Oliver                     Michelle Gray
    Wayne McKinnon               Srividhya Shyamsunder          Catherine Hammaker

Contents

Section I:     Independent Auditor’s
Report

Section II:    Management Comments

Acronyms

C&A            Certification and Accreditation
CFS            Consolidated Financial System
COOP           Continuity of Operations Program
EDM            Enterprise Data Model
ELAN           Enterprise Local Area Network
FIPS PUB       Federal Information Processing Standards Publication
FMFIA          Federal Managers’ Financial Integrity Act of 1982
FY             Fiscal Year
IAH            Information Assurance Handbook
IPVFB          Integrated Present Value of Future Benefits
ISO            Information System Owner
IT             Information Technology
NIST SP        National Institute of Standards and Technology Special Publication
OIG            Office of Inspector General
OIT            Office of Information Technology
OMB            Office of Management and Budget
PAS            Premium Accounting System
PBGC           Pension Benefit Guaranty Corporation
PII            Personally Identifiable Information
PPS            Premium and Practitioner System
PRISM          Participant Records Information Systems Management
RTM            Requirements Traceability Matrix
TAS            Trust Accounting System

Section I

Independent Auditor’s Report

Pension Benefit Guaranty Corporation

To the Board of Directors, Management,
 and Inspector General of the
Pension Benefit Guaranty Corporation
Washington, DC

We have audited the financial statements of the Pension Benefit Guaranty
Corporation (PBGC)
as of and for the year ended September 30, 2009, and have examined management’s assertion
included in PBGC’s Annual Management Report about the effectiveness of the internal control
over financial reporting (including safeguarding assets) and PBGC’s compliance with certain
provisions of laws, regulations, and other matters, and have issued our combined report thereon
dated November 12, 2009 (see OIG report AUD-2010-1/FA-09-64-1).

We conducted our audit and examination in accordance with auditing standards generally
accepted in the United States of America; Government Auditing Standards, issued by the
Comptroller General of the United States; attestation standards established by the American
Institute of Certified Public Accountants; and OMB audit guidance.

The purpose of this report is to provide more detailed discussions of the specifics underlying the
material weakness reported in the internal control section of our combined report on PBGC’s
fiscal year (FY) 2009 financial statements. As reported in our combined report on PBGC’s
FY 2009 financial statements, we identified certain deficiencies in internal control that we
consider significant deficiencies, which combined constitute a material weakness.

Summary

PBGC protects the pensions of approximately 44 million workers and retirees in more than
29,000 private defined benefit pension plans. Under Title IV of the Employee Retirement Income
Security Act of 1974, PBGC insures, subject to statutory limits, pension benefits of participants
in covered private defined benefit pension plans in the United States.
To accomplish its mission
and prepare its financial statements, PBGC relies extensively on information technology (IT).
Internal controls over these operations are essential to ensure the confidentiality, integrity, and
availability of critical data while reducing the risk of errors, fraud, and other illegal acts.

11710 Beltsville Drive, Suite 300
Calverton, MD  20705-3106
tel:  301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 17 states and Washington, DC

Our review of IT controls covered general and selected business process application controls.
General controls are the structure, policies, and procedures that apply to an entity’s overall
computer systems. They include entity-wide security management, access controls,
configuration management, segregation of duties and contingency planning controls. Business
process application controls are those controls over the completeness, accuracy, validity,
confidentiality, and availability of transactions and data during application processing.

Our review also included the integration of financial management systems to ensure effective
and efficient interrelationships.
These interrelationships include common data elements,
common transaction processing, consistent internal controls, and transaction entry.

As noted in FY 2008 and previous financial statement audit reports, PBGC’s systemic security
control weaknesses and the lack of an integrated financial management system posed
increasing and substantial risk to PBGC’s ability to carry out its mission during FY 2009.
Communication between PBGC’s key decision makers did not convey the urgent need for
decisive strategic decisions to correct fundamental weaknesses in PBGC’s IT infrastructure and
environment. Strategic IT decisions did not address these deficiencies and significant
weaknesses. Furthermore, these weaknesses were not addressed in the status of corrective
actions being reported. As a result, PBGC’s attempt to address entity-wide security
management program deficiencies and systemic security control weaknesses at the root cause
level had minimal effect.

PBGC’s decentralized approach to system development and configuration management has
exacerbated control weaknesses and encouraged inconsistency in implementing strong
technical controls and best practices. The influx of 620 plans for over 800,000 participants from
2002-2005 contributed to PBGC’s disjointed IT development and implementation strategy. The
mandate to meet PBGC’s mission objectives by implementing technologies to receive the influx
of plans superseded proper enterprise planning and IT security controls.
The result was a series
of stovepipe solutions built upon unplanned and poorly integrated heterogeneous technologies
with varying levels of obsolescence.

PBGC’s management is starting to take actions to correct control weaknesses by conducting an
assessment of its Oracle database environment, initiating an IT Infrastructure modernization
program, completing the Enterprise Architecture segment architecture, and implementing
strategic decisions on IT sourcing.

Our current year audit work found deficiencies in the areas of security management, access
controls, configuration management, and segregation of duties. Control deficiencies were also
found in policy administration, and the certification and accreditation of major applications and
general support systems. An effective entity-wide security management program requires a
coherent strategy for the architecture of the IT infrastructure, and the deployment of systems.
The implementation of a coherent strategy provides the basis and foundation for the consistent
application of policy, controls, and best practices. PBGC first needs to develop and implement a
framework to improve its security posture. This framework will require time for effective control
processes to mature.

Based on our findings, we are reporting that significant deficiencies in the following areas
constitute a material weakness for FY 2009:

   1. Entity-wide security program planning and management
   2. Access controls and configuration management
   3. Integrated financial management systems

Detailed findings and recommendations follow.

In FY 2009, PBGC incorrectly reported progress in addressing weaknesses noted in its
entity-wide information security management program to correct systemic security control
weaknesses at the root cause level.
The incorrect reporting in PBGC’s status report impacted strategic
decisions to prioritize resources for resolving deficiencies in PBGC’s IT infrastructure. PBGC
has initiated efforts in the reorganization and improvement of its security planning and
management through the design and implementation of a more coherent strategy for managing
its information systems. However, these efforts are not completed and additional time is needed
for further strategy development and implementation.

1. Entity-wide Security Program Planning and Management

   During FY 2009, PBGC incorrectly reported progress in addressing entity-wide security
   management weaknesses, which did not agree with its own assessment of the state of its IT
   infrastructure and environment. PBGC’s assessment of its IT infrastructure and environment
   noted fundamental weaknesses in its architecture and design that prohibited the
   implementation of effective controls. Communication between PBGC’s key decision makers
   did not convey the urgent need for decisive strategic decisions to correct weaknesses in
   PBGC’s IT infrastructure and environment. Resources were inappropriately allocated to
   address control weaknesses that could not be resolved until fundamental IT architecture and
   design issues have been mitigated. The sixty-five (65) common security controls PBGC
   previously identified and documented could not be implemented, despite PBGC’s reporting
   that it had implemented forty-five (45) of them. Furthermore, PBGC was unable to
   complete the certification and accreditation (C&A) of thirteen (13) major applications and
   general support systems, although management reported the C&As were completed.
   PBGC’s quality control review of the C&A packages did not correct specific issues we
   identified in FY 2008.
The C&A packages were deficient in their quality, accuracy, and
   consistency. PBGC has not updated its Information Assurance Handbook (IAH) to reflect
   changes in its IT policies and procedures. Consequently, management’s objective to resolve
   prior year control weaknesses was not achieved.

   PBGC’s entity-wide security program lacks focus and a coordinated effort to adequately
   resolve control deficiencies. These deficiencies prevent PBGC from implementing effective
   security controls to protect its information from unauthorized access, modification, and
   disclosure. The specific weaknesses we found that contributed to the material weakness
   and our recommendations to correct them are as follows:

   • PBGC has identified sixty-five (65) common security controls for the seventeen (17)
     NIST SP 800-53, Recommended Security Controls for Federal Information Systems,
     security control families. Of the 65 common security controls tested by PBGC, only four
     controls were properly designed and operating effectively. Weaknesses in PBGC’s
     infrastructure design and deployment strategy for systems and applications have
     adversely affected its ability to effectively implement common security controls across its
     systems and applications. Without full development and implementation, security
     controls are inadequate; responsibilities are unclear, misunderstood, and improperly
     implemented; and controls are inconsistently applied. Such conditions lead to insufficient
     protection of sensitive or critical resources or disproportionately high expenditures for
     controls.

     Consequently, PBGC has not completed and confirmed the design, implementation, and
     operating effectiveness of its common security controls.
Without testing control
     processes, management cannot have confidence that the controls were implemented.

     Recommendations:

     o Effectively communicate to key decision makers the state of PBGC’s IT infrastructure
       and environment to facilitate the prioritization of resources to address fundamental
       weaknesses. (OIG Control Number FS-09-01)

     o Complete and confirm the design, implementation, and operating effectiveness of all
       65 common security controls identified. (OIG Control Number FS-08-01)

     o Develop a process to review and validate reported progress on the implementation of
       the common security controls. Implement a strategy to test and document the
       effectiveness of each new control implemented. (OIG Control Number FS-09-02)

   • PBGC’s process for the completion of C&A packages in accordance with NIST SP 800-37,
     Guide for the Security Certification and Accreditation of Federal Information Systems,
     is ineffective. Fundamental weaknesses in PBGC’s infrastructure architecture and
     design do not support the certification and accreditation of its information systems.
     Furthermore, PBGC’s information systems employ obsolete and antiquated technologies
     that pose additional risk to the availability of financially significant systems. In FY 2009,
     PBGC asserted to have completed 13 C&A packages for its major applications and
     general support systems. Significant deficiencies noted in access controls and
     configuration management do not support this assertion.

     PBGC’s quality control review of the C&A packages did not correct specific issues we
     identified in FY 2008. In addition, PBGC’s oversight of contractor performance during the
     C&A process was inadequate.
The C&A packages were deficient in their quality,
     accuracy, and consistency.

     Our review of C&A packages noted the following quality control weaknesses, each of
     which had been identified in our prior year audit:

     - Limited documentation of test results, a condition that prevented third-party
       reviewers from re-performing, and thus validating, the tests.
     - Deficiencies not included in the Plan of Action & Milestones.
     - Documentation that did not support conclusions reached or test results.
     - Inconsistencies or apparent errors and/or omissions in work performed.
     - Information in the system boundaries section of the risk assessment conflicted with
       the listing of external connections.
     - Minor applications identified in the Security Control Worksheet, but not documented in
       the Risk Assessment.

     Management provided three conflicting inventory lists of major applications and general
     support systems. Some systems considered major on one inventory list were
     considered minor on the others. Because of the contradictory information provided, we
     could not determine which of these lists should be considered as management’s
     assertion concerning the inventory of its major applications and general support
     systems. Therefore, we could not determine which major applications and general
     support systems require certification and accreditation.

     Without management oversight and accountability for contractor performance,
     management may accept work that does not meet Federal criteria. Such practices may
     lead to fraud, waste, or abuse, and to insufficient protection of sensitive or critical
     resources.
In addition, projects may exceed approved budget if rework is required.
     Without monitoring contractor performance and performing a quality review of
     deliverables, management cannot have confidence in the work performed.

     The risk exists that systems could be certified, accredited, and receive an authorization
     to operate without the assurance that complete and accurate results are obtained in
     executing the C&A process. In addition, issues identified or missed because of
     inaccurate or incomplete work performed will impact the corrective action required along
     with the resource commitment needed to complete the intended action.

     PBGC will not have reasonable assurance regarding the confidentiality, integrity, and
     availability of its information systems.

     Recommendations:

     o Develop and implement a well-designed security management program that will
       provide security to the information and information systems that support the
       operations and assets of the Corporation, including those managed by contractors or
       other Federal agencies. (OIG Control Number FS-09-03)

     o Complete the development and implementation of the redesign of PBGC’s IT
       infrastructure, and the procurement and implementation of technologies to support a
       more coherent approach to providing information services and information system
       management controls. (OIG Control Number FS-09-04)

     o Implement an effective review process to validate the completion of the certification
       and accreditation packages for all major applications and general support systems.
       The review should not be performed by an individual associated with the
       performance of the C&A, or by someone who could influence the results. This review
       should be completed for all components of the work performed to ensure substantial
       documentation is available that supports and validates the results obtained.
(OIG Control Number FS-08-02)

     o Ensure that adequate documentation is maintained which supports, substantiates,
       and validates all results and conclusions reached in the C&A process. (OIG Control
       Number FS-09-05)

     o Establish and implement comprehensive procedures and document the roles and
       responsibilities that ensure oversight and accountability in the certification and review
       process. Retain evidence of oversight reviews and take action to address erroneous
       or unsupported reports of progress. (OIG Control Number FS-09-06)

     o Maintain an accurate and authoritative inventory list of major applications and
       general support systems. Ensure the list is disseminated to responsible staff and
       used consistently throughout PBGC OIT operations. (OIG Control Number FS-09-07)

     o Implement an independent and effective review process to validate the completion of
       the certification and accreditation packages for all applications and general support
       systems hosted on behalf of PBGC by third party processors. The effective review
       should include examining host and general controls risk assessments. (OIG Control
       Number FS-08-03)

     o Implement robust and rigorous review procedures to verify that future contracts for
       the Certification and Accreditation of PBGC’s systems clearly outline expectations
       and deliverables in the statement of work. (OIG Control Number FS-09-08)

     o Implement a robust and rigorous quality review process to verify contractor C&A
       deliverables meet the requirements specified in the statement of work. (OIG Control
       Number FS-09-09)

     o Establish controls to ensure that contract staff tasked with the C&A of PBGC
       systems have the appropriate knowledge and background to accurately and
       comprehensively complete the C&A process.
(OIG Control Number FS-09-10)

     o Implement a robust and rigorous process to verify compliance with PBGC’s policy on
       contractor management throughout the C&A lifecycle. (OIG Control Number FS-09-11)

   • Information security policies and procedures were not fully disseminated and
     implemented. PBGC is not able to effectively enforce compliance for Security
     Awareness training. PBGC currently has a cumbersome and error-prone manual
     process to account for personnel who have completed security awareness training. The
     process is ineffective and limits PBGC’s ability to ensure that all required personnel have
     completed security awareness training. In FY 2008, PBGC developed role-based
     training programs to disseminate its Information Assurance Handbook (IAH) policies and
     procedures to information system owners (ISOs), system administrators, and project
     managers. During our FY 2009 review, we noted that PBGC could not verify and validate
     whether all required personnel have completed the Information Security Awareness and
     Training. Some project managers, ISOs and system administrators did not attend the
     risk management role-based training. The Contingency Plan Specialist was not aware of
     IAH guidance on required annual contingency training. Fifteen (15) PBGC officials with
     Continuity of Operations Program (COOP) responsibilities did not attend required annual
     contingency training.

     Lack of security awareness can lead to increased risk of security breaches and exposure
     to fraud. Controls may not be placed in operation as mandated by PBGC policies.

     Recommendation:

     o Develop and implement a process to enforce the dissemination and awareness of
       PBGC’s security policies and procedures through adequate training.
(OIG Control Number FS-07-04)

   • Office of IT (OIT) and system owners (i.e. business owners) have not established and
     documented service level agreements that include metrics on OIT services required to
     meet business goals. PBGC is in the process of completing the development and
     distribution of measurable services provided to the business owners by the OIT.

     Recommendation:

     o Establish, document, and publish measurable services that OIT provides to the
       Corporation, that are acceptable to all information system owners. (OIG Control
       Number FS-07-06)

2. Access Controls and Configuration Management

   Although access controls and configuration management controls are an integral part of an
   effective information security management program, access controls remain a systemic
   problem throughout PBGC. PBGC’s decentralized approach to system development, system
   deployments, and configuration management has created an environment that lacks a
   cohesive structure in which to implement controls and best practices. Weaknesses in the IT
   environment contributed significantly to deficiencies in system configuration, segregation of
   duties, role-based access controls, and monitoring. Furthermore, PBGC’s information
   systems are overlapping and duplicative, employing obsolete and antiquated technologies
   that are costly to maintain. The state of PBGC’s IT environment led to increased IT staffing
   needs, manual workarounds, reconciliations, extensive manipulation, and excessive manual
   processing that have been ineffective in providing adequate compensating controls to
   mitigate system control weaknesses.
For example, the Financial Reporting and Account
   Analysis Group manually records present value of future benefits liabilities for single
   employer and multiemployer programs in CFS, and the Financial Operations Department
   manually records Premiums Income, Premiums Receivable, and Unearned Premiums in
   CFS.

   Access controls should be in place to consistently limit, detect inappropriate access to, and
   monitor access to computer resources (programs, data, equipment, and facilities). These
   controls protect against unauthorized modification, disclosure, loss, or impairment. Such
   controls include both logical and physical security controls to ensure that Federal employees
   and contractors will be given only the access privileges necessary to perform business
   functions. Federal Information Processing Standards Publication (FIPS PUB) 200, Minimum
   Security Requirements for Federal Information and Information Systems, specifies minimum
   access controls for Federal systems. FIPS PUB 200 requires PBGC’s information system
   owners to limit information system access to authorized users.

   Industry best practices, NIST SP 800-64, Security Considerations in the System
   Development Life Cycle, and other Federal guidance recognize the importance of
   configuration management when developing and maintaining a system or network. Through
   configuration management, the composition of a system is formally defined and tracked to
   ensure that an unauthorized change is not introduced. Changes to an information system
   can have a significant impact on the security of the system. Documenting information
   system changes and assessing the potential impact on the security of the system, on an
   ongoing basis, is an essential aspect of maintaining the security posture.
An effective entity-wide
   configuration management and control policy and associated procedures are essential
   to ensuring adequate consideration of the potential security impact of specific changes to an
   information system. Configuration management and control procedures are critical to
   establishing an initial baseline of hardware, software, and firmware components for the
   entity and subsequently controlling and maintaining an accurate inventory of any changes to
   the system.

   Inappropriate access and configuration management controls do not provide PBGC with
   sufficient assurance that financial information and financial assets are adequately
   safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or
   destruction.

   The specific weaknesses we found that contributed to the material weakness and our
   recommendations to correct them are as follows:

   • PBGC’s configuration management controls are labor intensive and ineffective.
     Weaknesses in the design of PBGC’s infrastructure and deployment strategy for
     systems and applications created an environment where strong technical controls and
     best practices cannot be effectively implemented. Configuration management controls
     are therefore not consistently implemented across PBGC’s general support systems.
     PBGC’s three IT environments (development, test, and production) do not share
     common server configurations; therefore, management cannot rely on results obtained
     in the development or test environments prior to deployment in production. Overall, the
     PBGC environment suffers from inadequate configuration, roles, privileges, logging,
     monitoring, file permissions, and operating system access.

     PBGC’s infrastructure does not adequately segregate the production, development and
     testing environments.
The current environment does not provide adequate controls in
     which to implement an effective application development and change control program.

     Significant weaknesses noted in configuration management include the following:

     - Sensitive program scripts and utilities, open directories, and unsafe service
       accounts were not restricted.
     - Unnecessary network services and duplicate groups with privileged system access
       were not removed.
     - Not all security patches for Linux servers were installed.
     - Baseline security reports were not being created and reviewed.
     - Critical files, directories, and permissions were of inappropriate
       configuration/ownership.
     - The root account could be logged into from multiple virtual consoles.
     - The Premium Accounting System (PAS) resided on a database version that is
       unsupported. Software versions no longer supported by the vendor increased the
       likelihood that new security vulnerabilities would be introduced and PBGC would not
       be able to mitigate the vulnerabilities.
     - The hardware in place slated for disaster recovery operations of the Oracle database
       environment was a single server configuration lacking the Central Processing Unit
       and memory to maintain business functionality in the case of a total system failure to
       the existing headquarters data center.
Furthermore, the method in which database\n      replication was taking place from headquarters to the COOP installation is lacking in\n\n\n\n\n                                           8\n\n\x0c     functionality and completeness, and would require a significant amount of subject\n     matter expert manual intervention, in the event of an actual system failure.\n\xe2\x88\x92\t   The production PBGC databases were operating on obsolete hardware at both the\n     server and storage area network layers. The hardware supporting the Oracle\n     database infrastructure has recently been identified by PBGC personnel as being\n     outdated, with the production of parts no longer occurring. The infrastructure housing\n     the production Oracle databases was actually found to demonstrate an unsupported\n     level of 75% at the host server level. The operating systems for these servers have\n     reached the end of service life phase 2, with minimal support being provided.\n\xe2\x88\x92\t   Developers had access to sensitive information in production by having direct\n     development access to production systems via a database link.\n\xe2\x88\x92\t   Development and test databases have database links directly connected to the\n     production database. This configuration of database links produces an inefficient,\n     difficult to manage, non-scalable Oracle database solution.\n\xe2\x88\x92\t   PBGC\xe2\x80\x99s storage area network system was obsolete. There are no new hard drives\n     being manufactured for the Sun 9980 systems in place for production database\n     storage.\n\xe2\x88\x92\t   The IT System Life Cycle Methodology is not consistently implemented across all\n     projects within PBGC. 
    We reviewed the Product Quality Assurance audit summary of the HP Service Manager 7 software implementation and noted that various critical components were lacking, such as:
    o Weaknesses were noted in the approval, configuration management and change control processes.
    o Failure to obtain approval signatures on key documents and test artifacts.
    o Incomplete Requirements Traceability Matrix (RTM).
    o Failure to update the RTM, resulting in lack of traceability between the requirements and the test cases.
    o Lack of evidence that key test activities were conducted in the test environment as planned.
  − Backout plans for reversing system changes in case of an unexpected situation are not consistently documented.

  Controls are not in place to ensure adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. PBGC is exposed to increased risk of data modification or deletion. Unauthorized changes could occur undetected. Applications and critical business processes may not be restored in a timely manner in the event of a true disaster.

  Recommendations:

  o Develop and implement procedures and processes for the consistent implementation of common configuration management controls to minimize security weaknesses in general support systems. (OIG Control Number FS-07-07)

  o Develop and implement a coherent strategy for correcting IT infrastructure deficiencies and a framework for implementing common security controls, and mitigating the systemic issues related to access control by strengthening system configurations and user account management for all of PBGC's information systems. (OIG Control Number FS-09-12)

  o Establish baseline configuration standards for all of PBGC's systems. (OIG Control Number FS-09-13)

  o Review configuration settings and document any discrepancies from the PBGC configuration baseline. Develop and implement corrective actions for systems that do not meet PBGC's configuration standards. (OIG Control Number FS-09-14)

  o Ensure test, development and production databases are appropriately segregated to protect sensitive information and also fully utilized to increase system performance. (OIG Control Number FS-09-15)

  o Establish interim procedures to implement available compensating controls (such as establishing a test team to verify developer changes in production) until a comprehensive solution to adequately segregate test, development and production databases can be implemented. (OIG Control Number FS-09-16)

• PBGC's policies and practices have not effectively restricted the addition of unnecessary and generic accounts to systems in production. Consequently, the number of unnecessary and generic accounts grew over the years. PBGC management has not determined if the removal of all legacy generic accounts would disrupt production activities. PBGC reduced the number of unnecessary and generic accounts in FY 2009, but this deficiency remains a security risk.

  Failure to identify and remove unnecessary accounts from the system could result in PBGC's systems being at an increased risk of unauthorized access/modification/deletion of sensitive system and/or participant information.

  Recommendation:

  o Continue to remove unnecessary user and/or generic accounts. (OIG Control Number FS-07-08)

• Controls are not consistently implemented to appropriately segregate duties and grant rights and privileges commensurate with job functions and responsibilities. PBGC does not have a coherent strategy for enforcing segregation of duties through strong technical controls in its applications and general support systems. PBGC's decentralized approach to system development and configuration management has exacerbated inconsistency and control weaknesses in implementing strong technical controls to enforce segregation of incompatible duties.

  Incompatible duties and improper password management increase the potential risk of fraud, errors and omissions.

  Recommendations:

  o Consistently implement controls to appropriately segregate duties and grant rights and privileges commensurate with job functions and responsibilities. (OIG Control Number FS-07-09)

  o Assess the risk associated with lacking segregation of duties, password management, and overall inadequate system configuration. Discuss risk with system owners and implement compensating controls wherever possible. If compensating controls cannot be implemented, the system owner should sign off indicating risk acceptance. (OIG Control Number FS-09-17)

• Developers have access to the production environment, which exposes PBGC to the risk of unauthorized modification of the application, the circumvention of critical controls, and unnecessary access to sensitive data. Weaknesses in the design of PBGC's infrastructure and deployment strategy for legacy systems and applications created an environment where developers have unrestricted access to production. PBGC has not developed and implemented adequate compensating controls to restrict developers' access to production. PBGC has not fully resolved infrastructure design issues, nor developed and implemented a coherent program to manage and maintain legacy applications.

  Failure to appropriately restrict privileged access to the production environment could result in unauthorized access/modification/deletion of sensitive system and/or participant information and the release of harmful code into the production environment.

  Recommendations:

  o Appropriately restrict developers' access to the production environment to temporary emergency access only. (OIG Control Number FS-07-10)

  o Assess developers' access to production on all PBGC systems and determine if access is required based on the security principles of "need to know" and "least privilege". If developers require access to a specific application, the reason should be documented and management should sign off indicating acceptance of the risk(s). In all other instances developer access to production should be immediately removed. (OIG Control Number FS-09-18)

• Controls are not consistently applied to ensure that authentication parameters for general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and applications are in compliance with the IAH. PBGC's decentralized approach to system development and configuration management has made it particularly difficult to implement consistent technical controls across PBGC's many systems, platforms, and applications.

  Failure to follow secure build standards and to reassign or remove unowned user files provides internal and external attackers additional paths into PBGC's systems and could result in an increased risk of unauthorized access, modification, or deletion of sensitive system and participant information. These control weaknesses increase the risk of fraud, waste and abuse.

  Recommendations:

  o Consistently apply controls to ensure that authentication parameters for PBGC's general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and applications are in compliance with the IAH. (OIG Control Number FS-07-11)

  o Implement a manual review process whereby OIT periodically reviews systems for compliance with baseline settings. (OIG Control Number FS-09-19)

• PBGC is still in the process of identifying dependencies between databases, applications, and operating systems in order to fully implement controls to lock out and remove inactive and dormant accounts. However, there are still some PBGC systems that have not implemented these controls.
  PBGC's configuration management weaknesses have contributed significantly to its inability to effectively implement controls to ensure the consistent removal and locking out of generic or dormant accounts.

  Without full development and implementation of security controls, the lack of an effective policy addressing lockout, inactive accounts, and dormant accounts provides another control weakness that could be exploited to compromise the integrity, confidentiality and availability of PBGC's systems and applications.

  Recommendation:

  o For the remaining systems, apply controls to lock out and remove inactive and dormant accounts after a specified period in accordance with the IAH. (OIG Control Number FS-07-12)

• The OIT recertification process is incomplete and only addresses generic and service accounts; it does not include all user and system accounts. In addition, the Recertification of User Access Process, version 1.2, does not explicitly state that all accounts (e.g. user, system, and service) across all platforms and applications will be recertified annually. PBGC's infrastructure design and configuration management weaknesses have contributed significantly to its inability to effectively implement controls to recertify all user and system accounts.

  Unauthorized users could gain access to PBGC's data and personally identifiable information (PII). Without periodic recertification of accounts (user, generic, service and system), management does not have adequate assurance that only current authorized users have access to PBGC resources.

  Recommendation:

  o Complete the implementation of the recertification process for all user and system accounts. Continue to perform annual recertification and include all of PBGC's accounts (e.g. user, generic, service, and system accounts) for general support systems and major applications. (OIG Control Number FS-07-13)

• Vulnerabilities found in key databases and applications include weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. These PBGC system vulnerabilities are caused by an ineffective deployment strategy in the development, test, and production environments. Ineffective system deployments have resulted in an environment that is in disarray.

  Security control weaknesses and vulnerabilities in key databases are not mitigated, which adversely impacts the security and integrity of PBGC's development, test, and production environments. PBGC is exposed to increased risk of data modification or deletion. Unauthorized changes could occur undetected.

  Recommendations:

  o Implement controls to remedy vulnerabilities noted in key databases and applications such as weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. (OIG Control Number FS-07-14)

  o Implement controls to remedy weaknesses in the deployment of servers, applications, and databases in the development, test, and production environments. (OIG Control Number FS-09-20)

• Access request authorizations were not appropriately documented.
  PBGC has not fully implemented controls to ensure Enterprise Local Area Network (ELAN) forms are properly documented and maintained.

  Failure to ensure proper authorization may expose PBGC's systems to inadequate segregation of incompatible duties and to unauthorized users having access to PBGC data and PII.

  Recommendation:

  o Ensure that adequate documentation of access authorization is maintained by implementing proper monitoring and enforcement measures in compliance with approved policies and procedures. (OIG Control Number FS-07-15)

• PBGC lacks an effective process to track contractors throughout their employment at PBGC, including appropriate notifications of start dates and separation. Management has reported that policies and procedures, including PBGC directive PM 05-1, PBGC Entrance on Duty and Separation Procedures for Federal and Contract Employees, have not been updated to provide effective enforcement of controls designed to track entrance and separation of all Federal and contract employees.

  Without full development and implementation, security controls are inadequate to prevent contractors from having unauthorized access to PBGC's systems, applications, and facilities.

  Recommendation:

  o Update and enforce directive PM 05-1, PBGC Entrance on Duty and Separation Procedures for Federal and Contract Employees, to ensure contract personnel can be tracked effectively. Also, ensure a formal Entrance on Duty and Separation Clearance process is followed. (OIG Control Number FS-07-16)

• Periodic logging and monitoring of security-related events were inadequate for PBGC's applications CFS, PAS, Trust Accounting System (TAS), Participant Records Information Systems Management (PRISM), and Integrated Present Value of Future Benefits (IPVFB) System. PBGC's IT infrastructure consists of multiple legacy systems and applications (e.g. PAS, TAS, IPVFB, PRISM, GENESIS database, Solaris 8, Oracle 8i, Novell NetWare 5.1, Windows NT, etc.) that do not have a coherent architecture for the management and security of these systems.

  Controls are not in place to ensure adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. PBGC is exposed to increased risk of data modification or deletion. Unauthorized changes could occur undetected.

  Recommendation:

  o Implement a logging and monitoring process for application security-related events and critical system modifications (e.g. CFS, PAS, TAS, PRISM, and IPVFB). (OIG Control Number FS-07-17)

3. Integrated Financial Management Systems

The risk of inaccurate, inconsistent, and redundant data is increased because PBGC lacks a single integrated financial management system. The current system cannot be readily accessed and used by financial and program managers without extensive manipulation, excessive manual processing, and inefficient balancing of reports to reconcile disbursements, collections, and general ledger data.

OMB Circular A-127, Financial Management Systems, requires that Federal financial management systems be designed to provide for effective and efficient interrelationships between software, hardware, personnel, procedures, controls, and data contained within the systems. This Circular states:

   The term "single, integrated financial management system" means a unified set of financial systems and the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls and data necessary to carry out financial management functions, manage financial operations of the agency and report on the agency's financial status to central agencies, Congress and the public. Unified means that the systems are planned for and managed together, operated in an integrated fashion, and linked together electronically in an efficient and effective manner to provide agency-wide financial system support necessary to carry out the agency's mission and support the agency's financial management needs.

OMB's Office of Federal Financial Management, formerly the Joint Financial Management Improvement Program, Core Financial System Requirements document, lists the following integrated financial management system attributes:

• Standard data classifications (definition and formats) established and used for recording financial events.
• Common processes used for processing similar kinds of transactions.
• Internal controls over data entry, transaction processing, and reporting applied consistently.
• A system design that eliminates unnecessary duplication of transaction entry.

Because PBGC has not integrated its financial systems, PBGC's ability to accurately and efficiently accumulate and summarize information required for internal and external financial reporting is impacted. Many of the weaknesses included in this report were reported in prior years. The specific weaknesses we found that contributed to the material weakness and our recommendations to correct them are as follows:

Lack of standard data classifications and common data elements:

• PBGC management has indicated that a logical database model (Enterprise Data Model (EDM)) has been developed and is being revised. Elements of the EDM include the general ledger, purchases, portfolio management, payroll, investment management, financial institutions, budgeting, accounts receivable, and accounts payable. Until the development and implementation of the EDM is complete, the current systems have no centralized data catalog defining data elements or a common data access method available for current databases.
• The current decentralized database structure may lead to erroneous financial and participant data. For example, the same data elements are required to be reformatted or are used for different purposes across PBGC's various applications.
• The current decentralized database structure may lead to outdated financial or participant data. Because participant data must be reformatted and distributed to multiple PBGC systems, users may be relying on outdated information to make business decisions.

Duplication of transaction entry:

• Probable and multi-employer plan data initially entered into IPVFB must be manually re-entered into a spreadsheet and then manually entered into CFS as adjusting journal entries.
• Plan data initially entered into the Case Management System application must be re-entered into the TAS application's portfolio header.
• Plan contingency listings are determined using data extracted from PAS. However, plans with multiple filings must be manually aggregated before the plans can be classified.
• Plan sponsor address information must be manually entered into CFS to process refunds.

Obsolete and antiquated technologies:

PBGC's information systems employ obsolete and antiquated technologies that pose additional risk to the availability of financially significant systems. These technologies are unsupported and add to the challenges of integrating PBGC's systems in an IT infrastructure that lacks a cohesive architecture and design.

A Federal agency's ability to effectively and efficiently maintain and modernize its existing IT environment depends primarily on how well it employs certain IT management controls that are embodied in statutory requirements, Federal guidance, and best practices. Among other things, these controls include strategic planning and performance measurement, portfolio-based investment management, human capital management, enterprise architecture (and supporting segment architecture) development and use, and responsibility and accountability for modernization management.

If managed effectively, IT investments can have a dramatic impact on an organization's performance and accountability. If not correctly managed, they can result in wasteful spending and lost opportunities for achieving mission goals and improving mission performance. PBGC has had several false starts in modernizing its systems and applications that have either been abandoned, such as the suspension of work on the PPS to replace PAS, or have been ineffective in leading to the integration of its financially significant systems.
Unless PBGC develops and implements a well-designed IT architecture and infrastructure to guide and constrain modernization projects, it risks investing time and resources in systems that do not reflect the Corporation's priorities, are not well integrated, are potentially duplicative, and do not optimally support mission operations and performance.

To its credit, PBGC has begun to develop an overall strategy, but much work remains before the strategy can be completed and implemented. Steps PBGC has taken include the following:

1. PBGC has completed the identification of all systems that provide data required to prepare the financial statements.

2. PBGC has substantially completed the logical database model, including standard data definitions and formats to be used throughout the Corporation.

3. PBGC has completed the development of segment architectures for CFS and Premium Accounting. Segment architectures will assist PBGC in identifying and planning financial technology recommendations for implementation and alternative analysis for business cases.

Major work remains to be completed to set the foundation for an integrated financial management system, including the following:

1. Incorporating the results of PBGC's Sourcing and Oracle Assessments in the Segment Architecture to support the selection of the best alternative for PBGC's new IT infrastructure.

2. Completing Segment Architectures for all PBGC Architecture Segments.

3. Mapping all legacy systems to PBGC's logical database model and identifying discrepancies.

4. Developing business cases for CFS and Premium Accounting IT investments to support budget requests for system development.

5. Developing and implementing new IT system solutions/functions in accordance with the Financial Management Segment Architecture and strategic system plan.

6. Completing alternative analysis studies for CFS and Premium Accounting.

Recommendation:

o PBGC needs to develop and execute a plan to integrate its financial management systems in accordance with OMB Circular A-127. (OIG Control Number FS-07-18)

The status of the internal control report recommendations is presented in Exhibit I.

This report is intended for the information and use of the management and Inspector General of PBGC and is not intended to be and should not be used by anyone other than these specified parties.

Calverton, Maryland
November 12, 2009

EXHIBIT I - Status of Internal Control Report Recommendations

Prior Year Internal Control Report Recommendations Closed During FY 2009:

  Recommendation    Date Closed    Original Report Number
  FS-08-04          10/27/2009     AUD-2009-2/FA-08-49-2
  FS-08-05          10/27/2009     AUD-2009-2/FA-08-49-2

Open Recommendations as of September 30, 2009:

  Recommendation    Report
  Prior Years'
  FS-07-04          2008-2/FA-0034-2
  FS-07-06          2008-2/FA-0034-2
  FS-07-07          2008-2/FA-0034-2
  FS-07-08          2008-2/FA-0034-2
  FS-07-09          2008-2/FA-0034-2
  FS-07-10          2008-2/FA-0034-2
  FS-07-11          2008-2/FA-0034-2
  FS-07-12          2008-2/FA-0034-2
  FS-07-13          2008-2/FA-0034-2
  FS-07-14          2008-2/FA-0034-2
  FS-07-15          2008-2/FA-0034-2
  FS-07-16          2008-2/FA-0034-2
  FS-07-17          2008-2/FA-0034-2
  FS-07-18          2008-2/FA-0034-2
  FS-08-01          AUD-2009-2/FA-08-49-2
  FS-08-02          AUD-2009-2/FA-08-49-2
  FS-08-03          AUD-2009-2/FA-08-49-2
  FY Ended September 30, 2009
  FS-09-01          AUD-2010-2/FA-09-64-2
  FS-09-02          AUD-2010-2/FA-09-64-2
  FS-09-03          AUD-2010-2/FA-09-64-2
  FS-09-04          AUD-2010-2/FA-09-64-2
  FS-09-05          AUD-2010-2/FA-09-64-2
  FS-09-06          AUD-2010-2/FA-09-64-2
  FS-09-07          AUD-2010-2/FA-09-64-2
  FS-09-08          AUD-2010-2/FA-09-64-2
  FS-09-09          AUD-2010-2/FA-09-64-2
  FS-09-10          AUD-2010-2/FA-09-64-2
  FS-09-11          AUD-2010-2/FA-09-64-2
  FS-09-12          AUD-2010-2/FA-09-64-2
  FS-09-13          AUD-2010-2/FA-09-64-2
  FS-09-14          AUD-2010-2/FA-09-64-2
  FS-09-15          AUD-2010-2/FA-09-64-2
  FS-09-16          AUD-2010-2/FA-09-64-2
  FS-09-17          AUD-2010-2/FA-09-64-2
  FS-09-18          AUD-2010-2/FA-09-64-2
  FS-09-19          AUD-2010-2/FA-09-64-2
  FS-09-20          AUD-2010-2/FA-09-64-2
Report on Internal Controls Related to the
Pension Benefit Guaranty Corporation's
Fiscal Year 2009 and 2008 Financial Statements

Audit Report AUD-2010-2 / FA-09-64-2

Section II

Management Comments

PBGC
Protecting America's Pensions
Pension Benefit Guaranty Corporation
1200 K Street, N.W., Washington, D.C. 20005-4026

Office of the Director

MEMORANDUM

November 12, 2009

To:       Rebecca Anne Batts
          Inspector General

From:     Vincent K. Snowbarger
          Acting Director

Subject:  Response to the Office of Inspector General's (OIG's) Draft Opinion on Internal Controls for FY 2009

Thank you for the opportunity to respond to the subject draft report. PBGC is committed to addressing the recommendations contained in this report and to remediating the associated material weakness. Management's own internal review process has largely corroborated the findings in this year's audit, and I have accordingly increased management oversight of the Information Technology (IT) operational area. Of the 37 recommendations in the draft report on internal controls, 27 recommendations remain open from prior audit findings with which management has already agreed, and we reiterate that agreement below. We also agree with the 10 new recommendations. Thus, there are no reported recommendations requiring resolution under Office of Management and Budget (OMB) Circular A-50.

We have provided our responses to each recommendation below, and we will be preparing top-level corrective action plans (CAPs) in the near future, with additional specificity following that. New management has only recently been installed over our IT operations, which are central to the development and execution of upgraded and realistic corrective action plans for most of the reported recommendations. As a result, over the next several months, we expect to make changes in the priority and scheduling of specific recommendations. We will keep your office informed of these developments. Overall, we anticipate that addressing these recommendations will require at least three years of concerted effort, though I expect to see substantive progress in every year moving forward.

The efforts of your office that went into preparing this detailed report are sincerely appreciated, and management also appreciates the need to work together as we address the noted issues.

Entity-wide Security Program Planning and Management

1. Recommendation: Effectively communicate to key decision makers the state of PBGC's IT infrastructure and environment to facilitate the prioritization of resources to address fundamental weaknesses. (OIG Control Number FS-09-01)

Response: Management agrees. We would, in fact, take the findings a step further. Communication to key decision-makers did not convey the urgent need for decisive strategic decisions and actions to correct fundamental weaknesses in PBGC's IT controls and security. Further, in management's view, resources were inappropriately allocated, not simply because they were put to control weaknesses that "could not be resolved until fundamental IT architecture and design issues have been mitigated," as the draft report has it, but even more significantly, because the approaches taken did not address the fundamental problems and did not include effective interim controls to mitigate risk and afford management the ability to address fundamental problems over the long term. This audit, corroborated by management's own work under the Contracts and Controls Review Department, has helped to effect that communication. As a result, management has taken appropriate actions to begin the remediation process.

2. Recommendation: Complete and confirm the design, implementation, and operating effectiveness of all 65 common security controls identified. (OIG Control Number FS-08-01)

Response: Management agrees. Management has itself tested the 65 common security controls over the past two years and has made measured progress, though much remains to be done.

3. Recommendation: Develop a process to review and validate reported progress on the implementation of the common security controls. Implement a strategy to test and document the effectiveness of each new control implemented. (OIG Control Number FS-09-02)

Response: Management agrees. Please see the response to Recommendation 2, above.

4. Recommendation: Develop and implement a well-designed security management program that will provide security to the information and information systems that support the operations and assets of the Corporation, including those managed by contractors or other Federal agencies. (OIG Control Number FS-09-03)

Response: Management agrees. Management is committed to addressing the security issues noted here and in Recommendations 5 and 18, and we will formulate a CAP with these in mind, to facilitate interim control needs and long-term IT effectiveness.

5. Recommendation: Complete the development and implementation of the redesign of PBGC's IT infrastructure and the procurement and implementation of technologies to support a more coherent approach to providing information services and information system management controls. (OIG Control Number FS-09-04)

Response: Management agrees. Please see the response to Recommendation 4, above.

6. Recommendation: Implement an effective review process to validate the completion of the certification and accreditation packages for all major applications and general support systems. The review should not be performed by an individual associated with the performance of the C&A or by someone who could influence the results. This review should be completed for all components of the work performed to ensure substantial documentation is available that supports and validates the results obtained. (OIG Control Number FS-08-02)

Response: Management agrees. We are implementing a more rigorous review process to ensure that future information provided is as accurate and reliable as possible.

7. Recommendation: Ensure that adequate documentation is maintained which supports, substantiates, and validates all results and conclusions reached in the C&A process. (OIG Control Number FS-09-05)

Response: Management agrees. We are validating the current inventory of our major applications and general support systems. In addition, we will implement a repeatable process to control the accuracy of this inventory to include all Certification and Accreditation (C&A)-related artifacts.

8.
Recommendation: Establish and implement comprehensive procedures and document\nthe roles and responsibilities that ensure oversight and accountability in the certification and\nreview process. Retain evidence of oversight reviews and take action to address erroneous or\nunsupported reports of progress. (OIG Control Number FS-09-06)\n\nResponse: Management agrees. We are fully committed to establishing and implementing\ncomprehensive procedures that document the roles and responsibilities that ensure oversight and\naccountability in the certification and review process. We will also retain evidence of oversight\nreviews and take appropriate action to address erroneous or unsupported reports of progress.\n\n9.      Recommendation: Maintain an accurate and authoritative inventory list of major\napplications and general support systems. Ensure the list is disseminated to responsible staff and\nused consistently throughout PBGC OIT operations. (OIG Control Number FS-09-07)\n\nResponse: Management agrees. Please see the response to Recommendation 7, above.\n\n10.    Recommendation: implement an independent and effective review process to validate\nthe completion of the certification and accreditation packages for all applications and general\nsupport systems hosted on behalf of PBGC by third party processors. The effective review\nshould include examining host and general controls risk assessments. (OIG Control Number\nFS-08-03)\n\nResponse: Management agrees. As part of our CAP, we will review and improve our C&A\nprocesses, roles, and responsibilities to ensure that the C&As have integrity.\n\n11.     Recommendation: Implement robust and rigorous review procedures to verify that\nfuture contracts for the Certification and Accreditation of PBGC\'s systems clearly outline\nexpectations and deliverables in the statement of work. (OIG Control Number FS-09-08)\n\n\n\n\n                                                3\n\n\x0cResponse: Management agrees. 
We have begun to initiate steps to rectify the condition cited,\nand we will develop and implement a CAP to fully address the issues associated with the C&A\nprocess, as well as the related contractor oversight.\n\n12.    Recommendation: Implement a robust and rigorous quality review process to verify\ncontractor C&A deliverables meet the requirements specified in the statement of work. (OIG\nControl Number FS-09 -09)\n\nResponse: Management agrees. Please see the response to Recommendation 11, above.\n\n13.   Recommendation: Establish controls to ensure that contract staff tasked with the C&A\nof PBGC systems have the appropriate knowledge and background to accurately and\ncomprehensively complete the C&A process.. (OIG Control Number FS-09-10)\n\nResponse: Management agrees. Please see the response to Recommendation 11, above.\n\n14.  Recommendation: Implement a robust and rigorous process to verify compliance with\nPBGC\'s policy on contractor management throughout the C&A lifecycle. (OIG Control\nNumber FS-09-11)\n\nResponse: Management agrees. Please see the response to Recommendation 11, above.\n\n15.   Recommendation: Develop and implement a process to enforce the dissemination and\nawareness of PBGC\'s security policies and procedures through adequate training. (OIG\nControl Number FS-07-04)\n\nResponse: Management agrees. We will identify the various roles and the related required\ntraining, and we will develop and follow a disciplined approach to ensuring the required training\nis received timely as part of our overall CAP.\n\n16.    Recommendation: Establish, document, and publish measurable services that OIT\nprovides to the Corporation, that are acceptable to all information system owners. (OIG Control\nNumber FS-07-06)\n\nResponse: Management agrees. As the audit report notes, PBGC is in the process of\ncompleting the development and distribution of measurable services that OIT provides to the\nbusiness owners. 
Moreover, we are fully committed to the completion of this effort, as it\nimpacts the work of the Corporation.\n\nAccess Controls and Configuration Management\n\n17.    Recommendation: Develop and implement procedures ,and processesfor the consistent\nimplementation of common configuration management controls to minimize security weaknesses\nin general support systems. (OIG Control Number FS-07-07)\n\n\n\n\n                                                4\n\n\x0cResponse: Management agrees . We are working to establish a CAP that fully addresses the\nimplementation of a sufficient configuration management program. In that effort, we will\nappreciate a continuing dialogue with your office regarding several of the specific conditions\nreported as findings in this year\'s report, as detailed in management\'s response to the related\nNotifications of Findings and Recommendations (NFRs), in order to gain clarification.\n\n18.     Recommendation: Develop and implement a coherent strategy for correcting IT\ninfrastructure deficiencies and a framework for implementing common security\' controls, and\nmitigating the systemic issues related to access control by strengthening system configurations\nand user account management for all\'ofPBGC\'s information systems. (OIG Control Number\nFS-09-12)\n\nResponse: Management agrees. Please secthe response to Recommendation 4, above.\n\n19.    Recommendation: Establish baseline configuration standards for all ofPBGC\'s\n\nsystems. (OIG Control Number FS-09-13)\n\nResponse: Management agrees. Please see the response to Recommendation 17, above.\n\n\n20.    Recommendation: Review configuration settings and document any discrepancies from\n\nthe PBGC configuration baseline. \\\' Develop and implement corrective actions for systems that do\n\nnot meet PBGC\'s configuration standards. (OIG Control Number FS-09-14)\n\n\nResponse: Management agrees. Please see the response to Recommendation 17, above.\n\n21.    
Recommendation: Ensure test, development and production databases are appropriately\nsegregated to protect sensitive information and also fully utilized to increase system\nperformance. (OIG Control Number FS-09-15)\n\nResponse: Management agrees. As suggested by the audit report itself, this is a complex issue,\nwith multiple layers that need to be addressed. Management will develop a CAP that will\naddress the findings as outlined and establish compensating controls, as needed, during the\ndevelopment of longer term solutions.\n\n22.     Recommendation: Establish interim procedures to implement available compensating\ncontrols (such as establishing a test team to verify developer changes in production) until a\ncomprehensive solution to adequately segregate test, development and production databases can\nbe implemented. OIG Control Number FS-09-16)                      .\n\nResponse: Management agrees. Please see the response to Recommendation 21, above.\n\n23.     Recommendation: Continue to remove unnecessary user and/or generic accounts.\n        (OIG Control Number FS-07-08)\nResponse: Management agrees. We will develop\' and implement a CAP for establishing the\nEnterprise Security Program, with short-, medium-, and long-term goals. The objective of this\nenterprise-level CAP is to address the root causes of the auditor\'s Fiscal Year (FY) 2009 and\nprior year findings.\n\n\n\n                                                5\n\x0c24. Recommendation: Consistently implement controls to appropriately segregate duties and\ngrant rights and privileges commensurate with the job functions and responsibilities. (OIG\nControl Number FS-07-09)\n\nResponse: Management agrees. These findings, which originally arose in a prior audit, were\ncorroborated by management\'s own FY 2009 assessment of our Oracle database. Management\nis fully committed to the development of a CAP that addresses the root causes of these findings.\n\n25.    
Recommendation: Assess the risk associated with lacking segregation of duties,\npassword management, and overall" inadequate system configuration. Discuss risk with system\nowners and implement compensating control\'s wherever possible. If compensating controls\ncannot be implemented the system owner should,sign-off indicating risk acceptance. (OIG\nControl Number FS-09-17)\n\nResponse: Management agrees. Please"see the response to Recommendation 24, above.\n\n26.     Recommendation: Appropriately restrict developers\' access to production environment\nto only temporary emergency access. (OIG Control Number FS-07-10)\n\nResponse: Management agrees. Management will develop and implement a CAP that\nappropriately restricts developers\' access to the production environment and documents any\nexigent access with the requisite management approval.\n\n\n27.     Recommendation: Assess developers\' access to production on all PBGC systems and\ndetermine if access is required based on the security principles "need to know and least\nprivilege". If developers require access to a specific application, the reason should be\ndocumented and management should sign-off indicating acceptance of the risk( s). In all other\ninstances developer access to production should be immediately removed. (OIG Control\nNumber FS-09-18)\n\nResponse: Management agrees. Please see the response to Recommendation 26, above.\n\n28.     Recommendation: Consistently apply controls to ensure that authentication parameters\nfor PBGC\'s general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and\napplications are in compliance with the IAH. (OIG Control Number FS-07-11)\n\nResponse: Management agrees. We will develop and implement a CAP that will ensure that\nauthentication parameters are compliant with the Information Assurance Handbook and that we\nperiodically review systems for compliance with baseline settings.\n\n29.    
Recommendation: Implement a manual review process whereby OIT periodically\nreviews systems for compliance with baseline settings. (OIG Control Number FS-09-19)\n\nResponse: Management agrees. Please see the response to Recommendation 28, above.\n\n\n\n                                                6\n\n\x0c30.     Recommendation: For the remaining systems, apply controls to lock out and remove\ninactive and dormant accounts after a specified period in accordance with the IAH. (OIG\nControl Number FS-07-12)\n\nResponse: Management agrees. We will develop and implement corrective actions that will\nappropriately lock out and remove inactive and dormant accounts.\n\n31.    Recommendation: Complete the implementation of the recertification process for all\nuser and system accounts. Continue to perform annual recertification and include all PBGC\'s\naccounts (e.g. user, generic, service, and systems accounts) for general support systems and\nmajor applications. (OIG Control Number \'FS-07-13)\n\nResponse: Management agrees. We will complete the work that we have begun to implement\nthe recertification process as an ongoing annual one that includes all ofPBGC\'s accounts.\n\n32.    Recommendation: Implement controls to remedy vulnerabilities noted in key databases\nand applications such as weaknesses in configuration, roles, privileges, auditing, file\npermissions, and operating system access. (OIG Control Number FS-07~14)\n\nResponse: Management agrees. Management\'s own assessment of our Oracle environment\ncorroborated the finding of an earlier audit report, which led to this recommendation. The recent\nassessment provided additional information that will be useful in addressing this issue. We are\nfully committed to developing a CAP that will strengthen our controls to address the cited\nvulnerabilities and weaknesses.\n\n33.     
Recommendation: Implement controls to remedy weaknesses in the deployment of\nservers, applications, and databases in the development, test, and production environments.\n(OIG Control Number FS-09-20)\n\nResponse: Management agrees. Please see the response to Recommendation 32, above.\n\n34.    Recommendation: Ensure that adequate documentation of access authorization is\nmaintained by implementing proper monitoring and enforcement measures in compliance with\napproved policies and procedures. (OIG Control Number FS-07-15)\n\nResponse: Management agrees. In formulating an appropriate CAP, we would like an\nopportunity to meet with the auditors to review their evidence regarding incomplete ELAN\nforms and remote access forms. This will enable us to better target corrective actions and\nmonitor progress.\n\n35.    Recommendation: Update and enforce directive PM 05-1, PBGC Entrance on Duty and\nSeparation Procedures for Federal and Contract Employees, to ensure contract personnel can be\ntracked effectively. Also, ensure a formal Entrance on Duty and Separation Clearance process is\nfollowed. (OIG Control Number FS-07-16)\n\n\n\n\n                                                7\n\x0cResponse: Management agrees. We have assigned the appropriate departments the task of\nreviewing and revising the related CAP to ensure that this issue is addressed.\n\n36.     Recommendation: Implement a logging and monitoring process for application security\nrelated events and critical system modifications (e.g. CFS, PAS , TAS , PRISM, and IPVFB).\n(OIG Cont rol Number FS-07-17)\n\nResponse: Management agrees. Management\'s own assessment of our Oracle database here\nagain corroborated an earlier related audit finding. We are committed to developing and\nimplementing a CAP that addresses this finding .\n\n37.   Recommendation: PBGC needs to develop and execute a plan to integrate its financial\nmanagement systems in accordance with OMB Circular A-127. 
(OIG Control Number FS-07\xc2\xad\n18)\n\nResponse: Management agrees. We appreciate the acknowledgement in the audit report of\nsteps that we have taken to move towards the more complete integration of our financial\nmanagement systems. We are committed to developing and acting upon a broader, cost -effective\nCAP that will more fully integrateour systems in accordance with OMB Circular A-127.\n\n\n\n\n                                             8\n\n\x0cIf you want to report or discuss confidentially any instance \n\n of misconduct, fraud, waste, abuse, or mismanagement, \n\n      please contact the Office of Inspector General. \n\n\n\n\n                       Telephone:\n\n            The Inspector General\xe2\x80\x99s HOTLINE\n\n                    1-800-303-9737\n\n\n  The deaf or hard of hearing, dial FRS (800) 877-8339\n\n   and give the Hotline number to the relay operator.\n\n\n\n\n                           Web:\n\n       http://oig.pbgc.gov/investigation/details.html\n\n\n\n\n                         Or Write:\n\n          Pension Benefit Guaranty Corporation\n\n               Office of Inspector General\n\n                     PO Box 34177\n\n             Washington, DC 20043-4177 \n\n\x0c'